
Thread: FTP Users problem

  1. #1
    Join Date
    Nov 2012
    Beans
    38

    FTP Users problem

    Hi

    I have the following problem:

    I have a gaming panel running on my VPS, but that panel only allows users to start and stop the server, so I need to create an FTP account on my VPS to allow them to upload the game files.

    The problem there is, my gaming panel uses an SSH connection to start and stop servers, so I can't block shell access for the user used by the panel. I want to create other accounts and lock those accounts to a folder in another Ubuntu account.


    Example:

    Game Panel --> Connects using linux account: servers (Via SSH) /home/servers/

    Now I will create 2 folders inside of this /home/servers/, 1 folder named SAMP, and another named Minecraft.

    Now I need to create 2 FTP users, one locked to /home/servers/SAMP/ and another locked to /home/servers/Minecraft, with full access to these folders (Write, Read, Execute), but without shell access.

    Thanks

  2. #2
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    sftp

    Since you already have SSH running, one way to go about allowing uploads would be to use SFTP. That's built into your SSH server.

    Also, with SFTP it is easy to lock down and disallow shell access for groups of users. Use a Match directive in sshd_config.

    Code:
    Subsystem sftp internal-sftp
    
    Match Group sftp-only
            AllowTCPForwarding no
            X11Forwarding no
            ForceCommand internal-sftp

    Then to allow SFTP access, but disallow shell access, just add the users to the group sftp-only.

    If you want something more complex with virtual users that exist only in the (S)FTP server, then there is VSFTPd.

  3. #3
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    Ya, but that only prevents shell access... or am I wrong? Can I lock a user to another user's folder? If the answer is yes, where do I have to configure the path for that user? Each user has a different path.

    Like this:

    user servers contains all the servers inside his home directory.

    paneluser only can view via sftp the folder /home/servers/paneluser.

  4. #4
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    ChrootDirectory

    You can also lock a user to a specific folder using the ChrootDirectory directive. The tricky part with that is that the chroot destination must be owned by root and not writeable by anyone else. However, subdirectories can be owned and writable by whoever.

    So if you chroot to /home/servers/ you can have /home/servers/paneluser owned and writable by your user. Then you could connect directly to that directory:

    Code:
    sftp user@server:/paneluser

    Note that there the directory will appear to be in the root directory because of the chroot.
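
Added example, not part of any post in this thread: a shell pre-flight check for the ChrootDirectory rule described in post #4. sshd_config(5) applies that rule to every component of the path, so a chroot at /home/servers/ also requires /home/servers itself to be root-owned and not group- or other-writable, not only the directories above it. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# component_ok and chroot_path_ok are hypothetical helper names.

# component_ok DIR [UID]: DIR must be a directory owned by UID
# (default 0, i.e. root) and not writable by group or others.
component_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory" >&2; return 1; }
    owner=$(stat -L -c %u "$dir") || return 1
    mode=$(stat -L -c %a "$dir") || return 1
    if [ "$owner" -ne "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    # Octal mask 022 = group-write | other-write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group/other writable" >&2
        return 1
    fi
    return 0
}

# chroot_path_ok PATH [UID]: apply component_ok to / and to every
# directory on the way down to PATH, stopping at the first failure.
# Typical call on the server: chroot_path_ok /home/servers
chroot_path_ok() {
    path=$1; want_uid=${2:-0}
    case $path in
        /*) ;;
        *) echo "FAIL $path: must be an absolute path" >&2; return 1 ;;
    esac
    component_ok / "$want_uid" || return 1
    rest=${path#/}
    cur=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue   # skip empty parts from // or a trailing /
        cur=$cur/$part
        component_ok "$cur" "$want_uid" || return 1
    done
    return 0
}
```

When a component fails this check, sshd refuses the session instead of falling back to an unconfined one, so the check is worth running before restarting the service.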

  5. #5
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    I'm a bit confused... Can you make an easy tutorial with the basic steps so I can try?

    I formatted my VPS because I messed up my Ubuntu

  6. #6
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: FTP Users problem

    Well, before starting you'll need to search around for material about chroot so that you know what it does. In a nutshell, it makes a subdirectory appear to be the root directory for a user or process and nothing above that directory should be visible.

    Next you'll have to work with the ssh server's configuration file, sshd_config. The changes you need to make are very simple so there will not be much written about them; it's mostly a matter of getting comfortable with what the manual pages for sshd_config say about the directives you will use.

    Code:
    Subsystem sftp internal-sftp
    
    Match Group sftp-only
            AllowTCPForwarding no
            X11Forwarding no
            ForceCommand internal-sftp
            ChrootDirectory  /home/servers/

    Look up Match, ForceCommand, and ChrootDirectory in the manual page for sshd_config(5). The above will allow any user in the group sftp-only to connect with SFTP but otherwise not be able to log in. Further, it will restrict those users to what is within the directory /home/servers/, which could mean the directory paneluser.

  7. #7
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    Thanks!

    Then it is possible to give account servers permissions to all the folders inside his home directory /home/servers/, and give permissions to the user paneluser only on his folder /home/servers/paneluser?

  8. #8
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    file permissions

    Yes, but the permissions would be handled the same as regular file and directory permissions in Linux. It's not something peculiar to ssh.

    In general if you want group write access, you have to assign permissions on a group basis and have the accounts be members of that group to be affected.

  9. #9
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    Thanks

    How can I limit a specific user so that they can only access via SSH/SFTP from only 1 IP defined by me?

    Nvm, I solved that alone. Thanks anyway!!
    Last edited by Di0g0; May 26th, 2013 at 04:27 PM.

  10. #10
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Match Address

    I'm guessing that it would be something like this in sshd_config. You'd need to have Match conditional blocks for both conditions.

    Code:
    Subsystem sftp internal-sftp
    
    Match Group sftp-only, Address 192.168.0.100
            AllowTCPForwarding no
            X11Forwarding no
            ForceCommand internal-sftp
            ChrootDirectory  /home/servers/
    
    Match Group sftp-only, Address *,!192.168.0.100
            DenyGroups sftp-only

    Mind the spaces, or lack of them.
